
Page 1: Automatic verification of SLA for Firewall Configuration in Grid Environments

Automatic verification of SLA for Firewall Configuration in Grid Environments

Gian Luca Volpato – Cracow Grid Workshop 08 – 15 October 2008

Gian Luca Volpato, Christian Grimm, Martin Janitschke

Page 2

Gian Luca Volpato - Cracow Grid Workshop '08 - 15 October 2008

Motivation

Facilitate the integration of new resources into a Grid:

1. Definition of security profiles

2. Certification of firewall setup

3. Monitoring firewall configuration as part of the Service Level Agreements

Page 3

Summary

1. Firewall configuration issues

2. Classification of middleware components

3. Definition of security profiles

4. SLA extension

5. Tool for automatic verification of firewall configuration

6. Q&A


Page 4

Integration of new partners

Installation of Grid middleware(s)

Creation of local user accounts

Registration to the information services

…

Configuration of firewall rules

If too restrictive: prevents legitimate communications

If too loose: allows unauthorized communications


Page 5

Classification of middleware components

Four categories of middleware components:

1. Computing frontends

2. Data frontends

3. Interactive nodes

4. Worker nodes

Figure: classification diagram. Computing frontends: Globus GRAM, UNICORE NJS, LCG/gLite CE. Data frontends: OGSA-DAI, dCache SE. Interactive node. Batch system with several Worker Nodes behind it.

Page 6

Communication paths

Identification of network ports used by each component for incoming connections

Figure: incoming ports per component. GT 4.0 GRAM: 2811, 8443, 20000-25000. dCache SE: 2135, 2811, 8443, 20000-25000. OGSA-DAI: 8443.

Page 7

Security profiles

Minimize the number of connections traversing firewalls

Range from basic services to complete set of functionality

Table: security profile levels 1 to 4 against component types (Computing, Data, Worker node, Interactive node); level 1 leaves two component types out, levels 2 and 3 one each, and level 4 covers all four.

Page 8

SLA extension

Each site declares which security profile will be implemented

Provide a guarantee that communications to/from certain Grid services are allowed, i.e. the firewall is correctly configured

Verification: before accepting a site in production, and periodically for the whole duration of the collaboration


Page 9

Verification of firewall configuration

Central service performing periodic verifications: requested ports are accessible; all other ports are blocked

In a further evolution, allow peer-to-peer verification of selected sites, triggered on demand

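The two checks the central service performs on slide 9 (declared ports reachable, everything else blocked), as an added example written for this page rather than the tool from the talk. The component names, the hostname and the probe results are constructed; the port numbers are those listed on slide 6.

```python
import socket
from typing import Callable, Dict, Iterable, List, Set

# Inbound ports per middleware component, as listed on slide 6 of the talk.
PROFILE_PORTS: Dict[str, Set[int]] = {
    "gt4-gram":  {2811, 8443, *range(20000, 25001)},
    "dcache-se": {2135, 2811, 8443, *range(20000, 25001)},
    "ogsa-dai":  {8443},
}


def expected_open(components: Iterable[str]) -> Set[int]:
    """Union of the ports the site's declared components must accept."""
    return set().union(*(PROFILE_PORTS[c] for c in components))


def tcp_probe(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP connection to host:port succeeds (for live checks)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def verify_site(components: Iterable[str], checked: Iterable[int],
                observed_open: Set[int]) -> Dict[str, object]:
    """Compare observed reachability with the declared profile.
    missing    -> required ports that were checked but are blocked (too restrictive)
    unexpected -> open ports the profile does not require (too loose)"""
    expected = expected_open(components)
    checked = set(checked)
    missing = sorted((expected & checked) - observed_open)
    unexpected = sorted(observed_open - expected)
    return {"compliant": not missing and not unexpected,
            "missing": missing, "unexpected": unexpected}


def scan_site(host: str, components: List[str], checked: Iterable[int],
              probe: Callable[[str, int], bool] = tcp_probe) -> Dict[str, object]:
    """Probe each candidate port, then evaluate the result against the profile."""
    checked = list(checked)
    observed = {p for p in checked if probe(host, p)}
    return verify_site(components, checked, observed)


if __name__ == "__main__":
    # Constructed probe results standing in for a live scan of a hypothetical site.
    fake = lambda host, port: port in {2811, 8443, 22, 20000}
    print(scan_site("site.example", ["gt4-gram"], [22, 2135, 2811, 8443, 20000, 20001], probe=fake))
    # -> {'compliant': False, 'missing': [20001], 'unexpected': [22]}
```

Passing `tcp_probe` (the default) instead of the constructed probe turns this into the live periodic check; the SLA verdict is the `compliant` flag plus the two lists explaining why it failed.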

Page 10

Page 11

Summary

1. Firewall configuration issues

2. Classification of middleware components

3. Definition of security profiles

4. SLA extension

5. Tool for automatic verification of firewall configuration

6. Q&A
